[ https://issues.apache.org/jira/browse/CXF-8613?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
WCM RnD updated CXF-8613:
-------------------------

    Priority: Critical  (was: Major)

> High Security issues reported with Apache Santuario library bundled in CXF 3.4.4
> --------------------------------------------------------------------------------
>
>                 Key: CXF-8613
>                 URL: https://issues.apache.org/jira/browse/CXF-8613
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 3.4.4
>            Reporter: WCM RnD
>            Priority: Critical
>
> High Security Vulnerability CVE-2021-40690 has been reported with the Apache Santuario 2.2.2 library being bundled within CXF 3.4.4.
> [https://nvd.nist.gov/vuln/detail/CVE-2021-40690]
>
> h2. CVE-2021-40690
> *Affected Component(s):* Apache Santuario (Java), OpenEJB
> *Vulnerability Published:* 2021-09-19 14:15 EDT
> *Vulnerability Updated:* 2021-10-01 12:08 EDT
> *CVSS Score:* 7.5 (overall), 7.5 (base)
> *Summary*: All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
>
> *Fixed in Apache Santuario version 2.2.3.*

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
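An added shell check, not part of this issue or of the CXF or Santuario projects, that audits a CXF lib directory for Santuario jars older than the fixed releases the report names (2.2.3 on the 2.2 line, 2.1.7 on the 2.1 line). It assumes the library is shipped as `xmlsec-<version>.jar` and builds a constructed sample directory to run against.

```shell
#!/bin/sh
# Added example: version audit for CVE-2021-40690 (Apache Santuario / xmlsec).
# Assumption: CXF bundles Santuario as lib/xmlsec-<version>.jar.

# Returns 0 when VERSION (x.y.z, optional qualifier) predates the fix.
santuario_vulnerable() {
    v=$1
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # strip qualifiers such as -SNAPSHOT
    fix=""
    case "$major.$minor" in
        2.2) fix=3 ;;                # fixed in 2.2.3 (per the issue text)
        2.1) fix=7 ;;                # fixed in 2.1.7 (per the issue text)
    esac
    if [ -n "$fix" ]; then
        if [ "$patch" -lt "$fix" ]; then return 0; else return 1; fi
    fi
    # Lines below 2.1 predate both fixes; 2.3 and later are newer than both.
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 1 ]; }; then
        return 0
    fi
    return 1
}

# Scans one lib directory; prints one line per xmlsec jar and returns
# the number of vulnerable jars found (0 means nothing to upgrade).
scan_libdir() {
    found=0
    for jar in "$1"/xmlsec-*.jar; do
        [ -e "$jar" ] || continue
        ver=${jar##*/xmlsec-}; ver=${ver%.jar}
        if santuario_vulnerable "$ver"; then
            echo "VULNERABLE  $jar  (upgrade to 2.2.3 / 2.1.7 or later)"
            found=$((found + 1))
        else
            echo "ok          $jar"
        fi
    done
    return $found
}

# Constructed sample: the CXF 3.4.4 bundle named in the issue (xmlsec 2.2.2).
demo_dir=$(mktemp -d)
: > "$demo_dir/xmlsec-2.2.2.jar"
scan_libdir "$demo_dir" || echo "action: upgrade Apache Santuario"
rm -r "$demo_dir"
```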